The answer is that the DHCP relay interface on the switch must be configured as a DHCP snooping trusted port. When DHCP snooping is enabled, it treats all ports as untrusted by default, silently dropping DHCP server messages like those relayed from the router’s VLAN 200 interface. The router’s relay agent forwards client requests to the DHCP server, but the switch’s snooping process discards the returning offers because the incoming port is not trusted. On the CCNA 200-301 v2 exam, this scenario tests your understanding of DHCP snooping’s default behavior and the critical distinction between trusted and untrusted ports—a common trap is assuming the relay configuration alone is sufficient. Remember that DHCP snooping blocks all DHCP server messages on untrusted ports, so the port facing the DHCP server or relay agent must be explicitly trusted. A useful memory tip is “relay needs trust, or packets get bust.”
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Router# show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
description VLAN 200
ip address 192.168.200.1 255.255.255.0
ip helper-address 192.168.100.10
no shutdown
!
Router# show ip dhcp relay information trusted
DHCP relay information trusted: Not configured
Router# show ip dhcp server statistics
Memory usage: 12345
Address pools: 1
Database agents: 0
Automatic bindings: 0
Manual bindings: 0
Expired bindings: 0
Malformed messages: 0
Message received:
BOOTREQUEST: 0
DHCPDISCOVER: 0
DHCPREQUEST: 0
DHCPDECLINE: 0
DHCPRELEASE: 0
DHCPINFORM: 0
Message sent:
BOOTREPLY: 0
DHCPOFFER: 0
DHCPACK: 0
DHCPNAK: 0
A network administrator has configured a DHCP server on VLAN 100 with an IP address of 192.168.100.10/24. Clients on VLAN 200 (192.168.200.0/24) report that they cannot obtain an IP address via DHCP. The router is configured with a DHCP relay on the VLAN 200 interface. The administrator checks the router configuration and verifies that the relay is in place, but clients still fail to get an address. The switch that the router and clients connect to has DHCP snooping enabled. What is the most likely cause of this issue?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
A
The DHCP server is on a different subnet and the relay address is incorrect.
Why wrong: The relay address 192.168.100.10 is correctly configured to point to the DHCP server on VLAN 100.
B
DHCP snooping is blocking the relay agent because the relay interface is not trusted.
The 'show ip dhcp relay information trusted' output shows 'Not configured', which means the relay agent is not trusting the DHCP server's responses. This causes the switch to drop DHCP server responses when DHCP snooping is enabled. The fix is to configure 'ip dhcp relay information trusted' on the interface facing the DHCP server.
C
The DHCP server is unreachable from the router.
Why wrong: The DHCP server is on the same router (VLAN 100 interface) and is reachable; the relay configuration is correct.
D
The ip helper-address command is missing from the VLAN 200 interface.
Why wrong: The exhibit shows 'ip helper-address 192.168.100.10' is configured on GigabitEthernet0/1, which is the VLAN 200 interface.
Correct answer & explanation
✓
DHCP snooping is blocking the relay agent because the relay interface is not trusted.
The scenario states that DHCP snooping is enabled on the switch. When DHCP snooping is active, it discards DHCP messages received on untrusted ports. The router's VLAN 200 interface, which is configured as a DHCP relay agent, must be configured as a trusted port for DHCP snooping; otherwise, the relayed messages are silently dropped. Option A is incorrect because the relay address is correctly pointing to the DHCP server's subnet. Option C is too generic and unlikely since the router and switch are directly connected. Option D is incorrect because the relay is verified to be in place. Therefore, the most likely cause is DHCP snooping blocking the relay agent due to the relay interface not being trusted.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Clue confirmation
The clue word "most likely" in the question points toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ DHCP snooping is blocking the relay agent because the relay interface is not trusted. (Correct answer)
Why this is correct
The 'show ip dhcp relay information trusted' output shows 'Not configured', which means the relay agent is not trusting the DHCP server's responses. This causes the switch to drop DHCP server responses when DHCP snooping is enabled. The fix is to configure 'ip dhcp relay information trusted' on the interface facing the DHCP server.
✗ The DHCP server is on a different subnet and the relay address is incorrect. (Wrong answer)
Why this is wrong here
The relay address 192.168.100.10 is correctly configured to point to the DHCP server on VLAN 100. The issue is not with the relay address being incorrect.
Why candidates choose this
Students often think that DHCP relay requires the server to be on a different subnet, but here the server is on a different VLAN (100) and the relay address is correct. They might assume the address is wrong because clients are on a different subnet.
✗ The DHCP server is unreachable from the router. (Wrong answer)
Why this is wrong here
The DHCP server is on the same router (VLAN 100 interface) and is reachable; the relay configuration is correct. The server is not unreachable.
Why candidates choose this
A common troubleshooting step is to check reachability. Since clients cannot get IP addresses, one might assume the server is unreachable, but the router can reach it directly.
✗ The ip helper-address command is missing from the VLAN 200 interface. (Wrong answer)
Why this is wrong here
The exhibit shows 'ip helper-address 192.168.100.10' is configured on GigabitEthernet0/1, which is the VLAN 200 interface. The command is present.
Why candidates choose this
The 'ip helper-address' command is essential for DHCP relay. If a student misses the exhibit or misreads it, they might think the command is missing.
Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the misconception that a correctly configured DHCP relay alone guarantees DHCP operation, ignoring that DHCP snooping can silently drop relayed messages if the relay interface is not trusted.
Trap categories for this question
Command / output trap
The exhibit shows 'ip helper-address 192.168.100.10' is configured on GigabitEthernet0/1, which is the VLAN 200 interface.
Detailed technical explanation
How to think about this question
DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding table. When enabled, the switch treats all ports as untrusted by default, including the router interface acting as a DHCP relay agent. The relay agent must be explicitly configured as a trusted port using the 'ip dhcp snooping trust' interface command; otherwise, DHCP packets from the relay are dropped, preventing clients from obtaining addresses even though the relay configuration is correct.
Key Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Network Services and Security — This question tests Network Services and Security: read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: DHCP snooping is blocking the relay agent because the relay interface is not trusted. — The scenario states that DHCP snooping is enabled on the switch. When DHCP snooping is active, it discards DHCP messages received on untrusted ports. The router's VLAN 200 interface, which is configured as a DHCP relay agent, must be configured as a trusted port for DHCP snooping; otherwise, the relayed messages are silently dropped. Option A is incorrect because the relay address is correctly pointing to the DHCP server's subnet. Option C is too generic and unlikely since the router and switch are directly connected. Option D is incorrect because the relay is verified to be in place. Therefore, the most likely cause is DHCP snooping blocking the relay agent due to the relay interface not being trusted.
What should I do if I get this 200-301 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Which TWO actions does DHCP snooping perform by default on a Cisco switch?
medium
✓ A. It blocks DHCP server messages received on untrusted ports.
B. It generates a Cisco Discovery Protocol packet for each DHCP request.
✓ C. It builds a DHCP binding table.
D. It relays DHCP requests across VLANs.
E. It converts DHCP broadcasts into unicasts.
Why A: DHCP snooping is a Layer 2 security feature that filters DHCP messages and builds a binding table. By default, it blocks DHCP server messages on untrusted ports and dynamically creates a binding table mapping IP addresses to MAC addresses. It does not relay requests across VLANs or convert broadcasts to unicasts (those are relay agent functions).
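The default behaviour described in the technical explanation and in Variation 1 (server messages dropped on untrusted ports, binding table built from confirmed leases), as an added Python sketch that is not part of the original question bank. It is a simplified model, not Cisco's implementation; the switch port names, client MAC and leased address are constructed for illustration.

```python
from dataclasses import dataclass, field

# Message types only a DHCP server (or a relay forwarding its replies) sends.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

@dataclass
class SnoopingSwitch:
    """Simplified model of DHCP snooping on one VLAN; not Cisco's implementation."""
    trusted_ports: set = field(default_factory=set)   # default: no port is trusted
    bindings: dict = field(default_factory=dict)      # client MAC -> (IP, access port)
    seen_on: dict = field(default_factory=dict)       # client MAC -> ingress port
    dropped: list = field(default_factory=list)       # (ingress port, message type)

    def receive(self, port, msg_type, client_mac, ip=None):
        """Return True if the message is forwarded, False if snooping drops it."""
        if msg_type not in SERVER_MESSAGES:
            self.seen_on[client_mac] = port           # client traffic is allowed in
            return True
        if port not in self.trusted_ports:
            self.dropped.append((port, msg_type))     # server reply on untrusted port
            return False
        if msg_type == "DHCPACK":                     # lease confirmed: record binding
            self.bindings[client_mac] = (ip, self.seen_on.get(client_mac))
        return True

def run_exchange(switch, client_port, relay_port):
    """Replay one DISCOVER/OFFER/REQUEST/ACK exchange; return what got through."""
    mac, ip = "00:00:5e:00:53:01", "192.168.200.50"   # constructed sample values
    frames = [(client_port, "DHCPDISCOVER", mac, None),
              (relay_port, "DHCPOFFER", mac, ip),
              (client_port, "DHCPREQUEST", mac, None),
              (relay_port, "DHCPACK", mac, ip)]
    forwarded = []
    for port, msg_type, client_mac, addr in frames:
        if not switch.receive(port, msg_type, client_mac, addr):
            break                                     # client never sees the reply
        forwarded.append(msg_type)
    return forwarded

if __name__ == "__main__":
    # Hypothetical switch ports: Gi1/0/5 faces the client, Gi1/0/24 faces the router.
    default = SnoopingSwitch()
    print(run_exchange(default, "Gi1/0/5", "Gi1/0/24"), default.dropped)
    fixed = SnoopingSwitch(trusted_ports={"Gi1/0/24"})
    print(run_exchange(fixed, "Gi1/0/5", "Gi1/0/24"), fixed.bindings)
```

With no trusted port the exchange stalls at the first server reply and the binding table stays empty, which is the symptom in the scenario: the clients' requests leave the VLAN but no offer ever comes back.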